>> Heheh. These are the people who thought "hey, let's make it so that
>> every home user has full admin rights by default". Yes, I'm sure they
>> know a thing or two about security. ;-)
>
> Um...
>
> Wrong perspective. Development was actually from CP/M's "access control?
> just lock the f*** room door" concept to there.
Yes. And it has taken them a spectacularly long time to figure out that
this model is ineffective today.
(Apparently this is the company that thought that networks were just a
"fad" that would go away after a while...)
> Oh, and didn't they go for "hey, let's make it so that every home user
> does /not/ have full admin rights by default" when they introduced
> Vista?
Yes.
They didn't do it in Windows 2000, they didn't do it in Windows XP, only
in Windows Vista did they *finally* get it right.
Granted, backwards compatibility didn't help them at all. But I'm pretty
sure there are better solutions than what they actually came up with.
The company's goals seem to be to promote a /sense/ of security rather
than actually /being/ secure.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On 06.06.2011 21:02, Orchid XP v8 wrote:
>>> Heheh. These are the people who thought "hey, let's make it so that
>>> every home user has full admin rights by default". Yes, I'm sure they
>>> know a thing or two about security. ;-)
>>
>> Um...
>>
>> Wrong perspective. Development was actually from CP/M's "access control?
>> just lock the f*** room door" concept to there.
>
> Yes. And it has taken them a spectacularly long time to figure out that
> this model is ineffective today.
Not really. It has been around in NT since when? Ever since the first
version, I guess.
> (Apparently this is the company that thought that networks were just a
> "fad" that would go away after a while...)
If that's what they had thought, they surely wouldn't have attempted to
roll their own network.
But they possibly didn't expect a single network to win over all the others.
I think none of the network operators did back then. And definitely they
didn't expect a (then) /non-commercial/ network to make the race.
>> Oh, and didn't they go for "hey, let's make it so that every home user
>> does /not/ have full admin rights by default" when they introduced
>> Vista?
>
> Yes.
>
> They didn't do it in Windows 2000, they didn't do it in Windows XP, only
> in Windows Vista did they *finally* get it right.
>
> Granted, backwards compatibility didn't help them at all. But I'm pretty
> sure there are better solutions than what they actually came up with.
> The company's goals seem to be to promote a /sense/ of security rather
> than actually /being/ secure.
Yes. I guess customers would go rampant if they gave them a somewhat
secure system - because people would (a) complain that they have to
invest time in security housekeeping (you can't just "buy" security), or
(b) complain that the system still isn't /totally/ secure (ignoring the
fact that such a thing as a totally secure system exists only beyond the
event horizon of a black hole).
Typical end users want to just "buy" their security (or, better yet, get
it for free), and not invest any of their own time into it. So Microsoft
serves this market segment with the best security you can buy for money
alone: The mere illusion of it.
On 06.06.2011 10:28, Invisible wrote:
> I prefer the old days of the Amiga, where software almost always did
> what it was supposed to. (Or else failed to work completely.) None of
> this "sometimes it works, sometimes it doesn't" nonsense. (Or "it works
> if you press the buttons in this order, but no other order".)
>
> This kind of thing seems to be endemic to Windows (and now Linux). For
> example, when I was setting up our old file server, I discovered that
> the only way to make the tape drive work was some long, complex routine
> (which I eventually wrote down) where you uninstall and reinstall the
> hardware drivers multiple times, rebooting in between, in just the exact
> right sequence, and then it works perfectly. If you don't do this, the
> device just refuses to function. WTF?
Increase in system complexity, anyone?
On 6/6/2011 11:22, Orchid XP v8 wrote:
> ...which the on-demand scanner is *still* going to detect...
Again, the on-demand scanner is the worst possible way, efficiency-wise, to
detect such things. Where "efficient" means "minimal impact to actual
users." It should be a last resort, not a primary mechanism.
>>>> Try Microsoft Security Essentials. It's really good.
>>> It has "Microsoft" in the name. Why would it be good?
>>
>> Because it's written by the same people whose OS you're trying to
>> protect?
>
> Heheh. These are the people who thought "hey, let's make it so that every
> home user has full admin rights by default". Yes, I'm sure they know a thing
> or two about security. ;-)
I'm sure they do. And I'm sure every programmer in Microsoft *wanted* to not
make that the default. That business cases mean you lessen security doesn't
mean the security team doesn't know how to do security.
>>> That's a valid argument for a file server. But even in that case, you (or
>>> somebody else) still has to *access* the file.
>>
>> But the other person might not have a virus scanner.
>
> If the file is on a file server, then each time you try to access it, the AV
> product on the server will perform an on-demand scan.
Sorry? What file server? I'm pretty sure Linux doesn't have a virus scanner
that will detect Windows viruses, for example.
> What, this scenario didn't show up in testing? "We want to clean a virus
> that's currently running" seems like more or less test #2 or #3 in any sane
> test suite...
As I said, "dunno."
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
On 6/6/2011 11:52, clipka wrote:
> Wrong perspective. Development was actually from CP/M's "access control?
> just lock the f*** room door" concept to there.
I still remember being amused at the Burroughs mainframe we were looking at
buying back then. We asked about multi-user features, and they said "code a
password request into your programs." We asked something else along those
lines, and they said "that's why each terminal has a keyhole."
> Oh, and didn't they go for "hey, let's make it so that every home user does
> /not/ have full admin rights by default" when they introduced Vista? Might
> be wrong here, but didn't both software and users kinda go amok back then?
Exactly. It wasn't that they didn't understand what needed to be done, but
that different demands were made. The president would be safer if he never
appeared in public, also.
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
On 6/6/2011 12:02, Orchid XP v8 wrote:
> Yes. And it has taken them a spectacularly long time to figure out that this
> model is ineffective today.
Not really. They figured if you had a system where it was single-user,
adding access control wouldn't help unless you were smart enough to not get
infected to start with. If you had a system that was multi-user, you
probably already know how to create accounts that aren't super-user.
> (Apparently this is the company that thought that networks were just a "fad"
> that would go away after a while...)
Microsoft had networking before TCP/IP was popular enough to need DNS.
> They didn't do it in Windows 2000, they didn't do it in Windows XP, only in
> Windows Vista did they *finally* get it right.
If you had multiple users, you could create privileged users or
non-privileged users. If you had a multi-user networked machine, chances are
you were running AD or some such and didn't have an admin account.
> Granted, backwards compatibility didn't help them at all. But I'm pretty
> sure there are better solutions than what they actually came up with.
Remember that when you're talking about security, the result is to break
things. Security in this sense means "preventing things from working as
programmed." Hence, you can't increase security effectively without breaking
backward compatibility. It's a careful balancing act you have to do.
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
On 06.06.2011 22:02, Darren New wrote:
> Sorry? What file server? I'm pretty sure Linux doesn't have a virus
> scanner that will detect Windows viruses, for example.
It very bloody likely does.
On 06.06.2011 22:02, Darren New wrote:
> Again, the on-demand scanner is the worst possible way, efficiency-wise,
> to detect such things. Where "efficient" means "minimal impact to actual
> users." It should be a last resort, not a primary mechanism.
You need an on-demand scanner though, lest a program opens a file that
wasn't there when you last had a chance to check it.
Plug in a USB stick full of data, and open something from it right away:
In that scenario, on-demand is the /only/ efficient mechanism. You don't
want to tell the user, "sorry pal, that file you're trying to open
happens not to have been scanned yet - and there's still 4236 other
files scheduled to be scanned before it."
Likewise, you don't want to clog up the system for minutes just because
someone inserted a USB stick he only reads one file from.
So in the sense of "total computing & I/O time spent for virus
scanning", on-demand may be the worst - but "felt" system speed is not
measured in such ways.
Also note that even if a file has been scanned and hasn't changed, the
virus database may have; so if you don't want to dig through all files
on the system every time the virus database changes, on-demand scanning
provides an advantage there as well. (Ideally of course in that case the
file would only be checked against virus signatures that were installed
after the file was last checked.)
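
The idea in the last paragraph of the post above (rescan an unchanged file only against signatures added since it was last checked), sketched as an added example that is not part of the original thread. The signature list, the `ScanCache` class and the marker strings are constructed for illustration, and keying the cache on a content hash is an assumption standing in for whatever file-identity tracking a real scanner uses.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature database:
# (database version in which the signature was added, name, byte pattern).
SIGNATURES = [
    (1, "Demo.Alpha", b"ALPHA-MARKER"),
    (2, "Demo.Beta", b"BETA-MARKER"),
    (3, "Demo.Gamma", b"GAMMA-MARKER"),
]


@dataclass
class ScanCache:
    # content hash -> highest database version this content was cleared against
    checked: dict = field(default_factory=dict)
    comparisons: int = 0  # signature comparisons performed, to show the saving

    def scan_on_access(self, data: bytes, db_version: int) -> list:
        """Scan at open time, skipping signatures already cleared for this content."""
        key = hashlib.sha256(data).hexdigest()
        # 0 means never seen: a new file, or a modified one (its hash changed).
        last = self.checked.get(key, 0)
        hits = []
        for added_in, name, pattern in SIGNATURES:
            # Only signatures newer than the last clean check and present
            # in the currently installed database need to be compared.
            if last < added_in <= db_version:
                self.comparisons += 1
                if pattern in data:
                    hits.append(name)
        if not hits:
            # Cache clean verdicts only; a detection is re-evaluated every time.
            self.checked[key] = max(last, db_version)
        return hits
```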
On 6/6/2011 15:30, clipka wrote:
> You need an on-demand scanner though, lest a program opens a file that
> wasn't there when you last had a chance to check it.
Or you have a USN journal. :-)
But yes, if you want to be sure, an on-demand scanner is necessary. It's
just not a good idea to have it as the first and/or only option.
> So in the sense of "total computing & I/O time spent for virus scanning",
> on-demand may be the worst - but "felt" system speed is not measured in such
> ways.
Yep. In those specific scenarios, where you suddenly add a bunch of files to
the file system *without* them passing through RAM as you do so, on-demand
works well.
> Also note that even if a file has been scanned and hasn't changed, the virus
> database may have;
Also a good point. As I said, on-demand should be the last resort, not the
first. Background-scanning while the screen saver is on of all executables
when the database changes or when they're written is far more efficient than
actually blocking a person's access while you scan an entire file. Managing
to do the scan as part of the VM paging would be even better, but that I
imagine would be hard to do.
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
On 06/06/2011 05:45 PM, Darren New wrote:
> On 6/6/2011 1:28, Invisible wrote:
>> I prefer the old days of the Amiga, where software almost always did
>> what it was supposed to.
>
> That particular one sounds like a permissions problem to me. :-)
I contend that it was more a philosophical thing. Like, if you tried to
use something and it didn't quite work right, you threw it away and used
something else that /did/ work perfectly 100% of the time. If your
computer randomly malfunctioned from time to time, you would damned well
go find out /why/. Because, you know, this kind of thing /isn't normal/.
Today the populace has somehow been convinced that it /is/ perfectly
normal and /acceptable/ for computers to not work right. Given such an
attitude, what incentive is there for software writers to bother fixing
their stuff?